Skip to main content

MuraCMS CVE-2025-55041

| EUVDEUVD-2025-208829 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-03-18 mitre
8.0
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.0 HIGH
AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 18, 2026 - 16:15 euvd
EUVD-2025-208829
Analysis Generated
Mar 18, 2026 - 16:15 vuln.today
CVE Published
Mar 18, 2026 - 00:00 nvd
HIGH 8.0

DescriptionCVE.org

MuraCMS through 10.1.10 contains a CSRF vulnerability in the Add To Group functionality for user management (cUsers.cfc addToGroup method) that allows attackers to escalate privileges by adding any user to any group without proper authorization checks. The vulnerable function lacks CSRF token validation and directly processes user-supplied userId and groupId parameters via getUserManager().createUserInGorup(), enabling malicious websites to forge requests that automatically execute when an authenticated administrator visits a crafted page. Adding a user to the Super Admins group (s2 user) is not possible. Successful exploitation results in the attacker gaining privilege escalation both horizontally to other groups and vertically to the admin group. Escalation to the s2 User group is not possible.

AnalysisAI

MuraCMS through version 10.1.10 contains a Cross-Site Request Forgery (CSRF) vulnerability in the user management Add To Group functionality that allows attackers to escalate privileges by adding authenticated users to arbitrary groups without proper authorization validation. An authenticated administrator visiting a malicious webpage can be tricked into adding any user to the Admin group or other privileged groups, though escalation to the Super Admin (s2) group is blocked. This vulnerability enables both horizontal privilege escalation across different user groups and vertical privilege escalation to administrative roles, posing a significant risk to multi-user MuraCMS installations where administrator accounts are targeted.

Technical ContextAI

The vulnerability exists in the cUsers.cfc component's addToGroup method, which handles user group assignment within MuraCMS—a content management system built on ColdFusion/CFML technology. The vulnerable function directly processes userId and groupId parameters submitted via HTTP requests and passes them to the getUserManager().createUserInGroup() backend function without implementing CSRF token validation or cross-request verification. This represents a classic CWE-352 (Cross-Site Request Forgery) issue compounded by insufficient authorization checks (related to CWE-284). The lack of CSRF protection means that state-changing operations (group membership modification) can be initiated from external websites, violating the same-origin policy enforcement that should protect administrative operations. The addToGroup method fails to verify that the request originated from a legitimate MuraCMS admin interface and lacks server-side session binding to validate request authenticity.

RemediationAI

Upgrade MuraCMS to a patched version released after 10.1.10; consult the vendor release notes at https://docs.murasoftware.com/v10/release-notes/ for the specific fixed version number and deployment instructions. As an immediate interim control pending patches, administrators should implement CSRF token validation by adding a CFML-level token check to the addToGroup function in cUsers.cfc, requiring that all user group modification requests include a cryptographically random, session-bound token generated by the application and verified server-side before processing. Additionally, restrict administrative access to the MuraCMS admin interface using network-level controls (IP whitelisting, VPN requirements) and enforce same-site cookie policies (SameSite=Strict) on all session cookies to mitigate cross-site request exploitation. Monitor group membership changes via audit logs and enforce multi-factor authentication for administrative accounts to reduce the impact of compromised admin sessions.

Share

CVE-2025-55041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy